
HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

Presentation Transcript


  1. HIPAA Security Overview
  Centers for Medicare & Medicaid Services (CMS)

  2. Agenda
  • Role of CMS
  • Security Rule Overview
  • CMS’ HIPAA Security Strategy
  • Providence Resolution Agreement
  • Summary & Conclusion
  • Q&A

  3. Role of CMS
  • CMS has delegated authority to enforce the non-privacy provisions of the HIPAA regulations:
    • Transactions and Code Sets
    • Identifiers (NPI, EIN)
    • Security
  • CMS is responsible for HIPAA enforcement as well as:
    • Regulatory/Policy Interpretation
    • Outreach and Education
    • Guidance and FAQs
    • New Regulations (including other eHealth-related issues, e.g. eRx)

  4. Security Rule Overview
  • Applies to Electronic Protected Health Information (EPHI) that a covered entity creates, receives, maintains, or transmits
  • Scalability/Flexibility
    • Based on organization size, complexity, technical capabilities and infrastructure, cost of security measures and potential security risks
  • Technologically Neutral
    • Describes “what” needs to be done vs. “how” it is to be done
  • Standards are required, but the implementation specifications may be either required or addressable

  5. CMS’ HIPAA Security Strategy
  • CMS takes a three-prong approach to HIPAA Security. The three prongs are:
    • Outreach & Education
    • Enforcement
    • Compliance Reviews

  6. Outreach and Education Efforts
  • Federal and Non-Federal Collaboration
  • Develop/Disseminate Educational & Guidance Materials
    • Security Papers
      • Administrative, Physical and Technical Safeguards
      • Basics of Risk Analysis and Risk Management
      • Implementation for the Small Provider
    • Frequently Asked Questions
    • Security Compliance Review Checklist
    • Remote Use and Access Guidance
  • The materials can be found on the CMS Website at: http://www.cms.hhs.gov (under the link for Regulations and Guidance).

  7. Outreach & Education - Remote Use & Access Guidance Rationale
  • Increased risk to protected health information
    • Associated with increased remote access to EPHI
    • Increase in workforce mobility
    • Increase in use of portable media storage devices
  • Recent security-related incidents
    • Reported loss or theft of devices containing EPHI
    • Reported access to health information by unauthorized users

  8. Outreach & Education - Highlights of Remote Access Guidance
  • Published December 28, 2006
  • Reiterates requirements of the HIPAA Security Rule
  • Identifies strategies consistent with organizational capabilities (Scalable and Flexible)
  • Pertains to Access, Storage and Transmission of EPHI
  • Three categories of action highlighted:
    • Conducting Security Risk Assessment
    • Developing and Implementing Policies and Procedures
    • Implementing Mitigation Strategies

  9. HIPAA Security Enforcement – Current Process
  • Review complaint to determine validity and scope
  • Notify “Filed Against Entity” (FAE) of complaint
  • Request specific documents from the FAE
  • Assess documents to determine if they:
    • Demonstrate compliance
    • Demonstrate the need for a Corrective Action Plan (CAP)
  • Monitor CAPs to completion
  • Close complaint upon demonstration of compliance
  • Issue closure correspondence to all parties

  10. HIPAA Security Enforcement – Overlapping Complaints
  • CMS and the Office for Civil Rights (OCR) collaborate on cases that overlap the Security and Privacy Rules
  • Approximately 70% of the CMS Security cases are referrals from OCR
  • Majority of Security complaints: allegation of inappropriate access and risk of inappropriate disclosure

  11. HIPAA Security Enforcement - Complaint Categories
  • Unauthorized access to EPHI
    • Employees or relatives accessing EPHI
  • Loss or theft of devices containing EPHI
    • Small volume of complaints; large volume of records
  • Insufficient access controls for systems containing EPHI
    • Shared passwords
    • Encryption
  • CMS has received 350 Security Rule complaints
    • 102 cases are open
    • 248 cases have been resolved

  12. Onsite HIPAA Security Compliance Reviews
  • Contracted with PricewaterhouseCoopers (PwC) for 10 reviews in 2008
  • Reviews place emphasis on remote use and access issues
  • CMS publishes de-identified post-review information
  • Initial target:
    • Entities against whom a complaint has been filed, and
    • Reported risk to security of a large volume of records
  • The compliance reviews will be used as a tool to achieve voluntary compliance

  13. Onsite HIPAA Security Compliance Reviews - Continued
  • Compliance reviews have revealed several key areas of vulnerability, including:
    • Lack of encryption for portable devices and media
    • Lack of verification of role-based access privileges
  • Reviews have resulted in CAPs that include:
    • Policies and procedures for remote use/access
    • Designation of internal security audit personnel
  • Compliance review cases are generally closed when CMS verifies completion of the CAP

  14. OIG Security Audit Initiative
  • Objective is to determine if certain covered entities have implemented measures in accordance with provisions of the HIPAA Security Rule
  • The recent OIG review of Piedmont Hospital highlighted issues related to:
    • Technical safeguard vulnerabilities for wireless communications
    • Vulnerabilities involving physical access to electronic information systems and the facilities
    • Administrative safeguard vulnerability related to business associate contracts

  15. Providence Resolution Agreement – What Does it Mean?
  • Background:
    • Case involved 386,000 unencrypted patient records
    • $100,000 resolution amount paid to HHS
    • 3-year corrective action monitoring
  • Significance:
    • Landmark case: first resulting in a monetary fine
    • Sets the stage for similar action in similar cases
    • Represents the evolution of CMS’ enforcement efforts

  16. Summary & Conclusion
  • Security provides opportunity and obligation
  • CMS’ three-pronged approach:
    • Outreach and Education
    • Enforcement
    • Compliance Review
  • Consequences of non-compliance:
    • Loss of resources
    • Loss of time
    • Loss of TRUST

  17. Discussion and Questions
